Schneier on Security
A blog covering security and security technology.
« Security Lessons of the Response to Hurricane Katrina |
| Lance Armstrong Accused of Doping »
September 6, 2005
Identity Cards Don't Help
Emily Finch, of the University of East Anglia, has researched criminals and how they adapt their fraud techniques to identity cards, especially the "chip and PIN" system that is currently being adapted in the UK. Her analysis: the security measures don't help:
"There are various strategies that fraudsters use to get around the pin problem," she said. "One of the things that is very clear is that it is a difficult matter for a fraudster to get hold of somebody's card and then find out the pin.
"So the focus has been changed to finding the pin first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale."
Reliance in the technology actually reduces security, because people stop paying attention:
"One of the things we found quite alarming was how much the human element has been taken out of point-of-sale transactions," Dr Finch said. "Point-of-sale staff are told to look away when people put their pin number in; so they don't check at all."
Some strategies relied on trust. Another fraudster trick was to produce a stolen card and pretend to misremember the number and search for it on a piece of paper.
Imagine, she said, someone searching for a piece of paper and saying, "Oh yes, that's my signature"; there would be instant suspicion.
But there was utter trust in the new technology to pick up a fraudulent transaction, and criminals exploited this trust to get around the problem of having to enter a pin number.
"You go in, you put the card in, you type any number because you don't know what it is. It won't go through. The fraudster -- because fraudsters are so good with people -- says, 'Oh, it's no good, I haven't got the hang of this yet. I could have sworn that was my number... I've probably got it confused with my other card.'
"They chat for a bit. The sales assistant, who is either disinterested or sympathetic, falls back on the old system, and swipes the card through.
"Because a relationship of empathy has already been established, and because they have already become accustomed to averting their gaze when people put pin numbers in, they don't check the signature at all.
"So fraud is actually easier. There is very little vigilance at the point of sale any more. Fraudsters know this and they are taking advantage of it."
I've been saying this kind of thing for a while, and it's nice to read about some research that backs it up.
Other articles on the research are here, here, and here.
Posted on September 6, 2005 at 4:07 PM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Yeah, I especially liked the part where she said she swapped IDs with a male and nobody stopped her/him from using someone else's ID:
"As part of our research - my colleague is male - we have been using each other's cards to buy things. And not once in the whole period that we did this, did anybody say to me, 'This is a man's card, this isn't your card.'"
It seems her research did not include trying to get into a university-town bar in the US for a beer.
This is actually dependant on the country. Here in Germany the chances of the salesperson checking signatures is pretty high, my guess would be well above 80%.
On the lighter side: a site that's currently down, but has great "art" is John Hargrove's Credit Card Pranks:
He was able to pay by signing with all kinds of abstruse names and even "drawings". (Elmar Fudd, Porky Pig, Egyptian hieroglyphics, geometrical figures etc.)
I've been of the view for a while that the only reason chip and pin will be "more secure" is because there will be no way for customers to repudiate a transaction unless they can prove their card has been stolen.
If you pin becomes known, and the number copied, then it would seem to me to be game over.
The number of fraud situations I can think of is scary. What happens if a cashier and whoever monitors the security camera system ?
How long before there's hacked card readers that can intercept the PIN key strokes and the card number ?
Just how secure is the chip ? etc etc.
The piece should be headed "chip and PIN doesn't help". A credit card isn't the same, and doesn't have the same function, as an identity card.
Apart from this, I observe that in several countries, people have been paying at cash registers with chip and PIN cards for many years. Here in Canada, it is used all the time, often for transactions of 5$ or less. I fail to understand what's the special problem about the newly introduced British cards.
There's a fallback system (the old one that doesn't require the PIN), so that those who can't figure out the new system or otherwise have trouble can still make their purchases.
What they've done is to put a toll gate in the middle of a desert. The law-abiding people pay the tolls; those less interested in doing so simply go around.
A "toll gate in the middle of a desert" can be a useful starting point for getting to a toll gate with very long fences on both sides.
One can imagine a gradual process where using the fallback system is phased out:
1) requiring the cashier's supervisor to approve
2) in addition, requiring the cashier's supervisor to personally interrogate the customer
3) in addition, requiring extra customer ID.
Here in South Africa I use a debit card for most of my purchases to reduce the need to carry cash (a hight risk). Even though a PIN is needed for these transactions, most vendors also *require* a signature. I don't recall my signature being compared to that on my card even once in the last two years.
The same is true for my very few credit card purchases - no checking of signatures.
Is this just bad training, social conditioning (as Emily Finch said), or is there over confidence in the authorisation process?
Has anyone read Dr Finch's actual paper, or seen presentation slides? I've been looking and not found a copy yet. From the look of it, Bruce's comments are based only on the press reports.
Personally, I found the press reports (of which there are a great many, so there has been at least a "PR success") of very limited interest, in that they mention obvious concerns and only anecdotal experiments or interviews, rather than any "hard science". Also, there is no mention of the experiences in France with chip&pin over many years.
Hence my interest in trying to establish whether anything has actually been added to the sum of human knowledge.
In Spain whenever you pay using a credit card your identity it's checked with you ID (DNI), always, it's required, and if you don't have the ID you can't pay with the credit card.
As I said in a previous post the ID (DNI) has more security measures that note banks, so it's less difficult to make false note banks than to make false IDs. The end result it's that there are almost no false IDs.
Well as long as you add technology somewhere to make life normally better what you actually sell to people is "forget about it we'll do it fr you".
Now is that so bad? No!
The problem you raise is not so much about the technology IMO but about people and there responsability... but it's the same for anything in life anyway.
I don't say we shouldn't care but I think you don't focus on the right issue there...
It's like the cars business. They have more and more power and go faster and faster but we still can't go any faster. I mean there is something wrong there? Besides since the cars now are much safer, people are less aware of the danger they run when driving faster.
Now does it mean the technology is in fault? No it's a society issue IMO.
I've noticed that the chip cards don't actually need a PIN.
Tesco, one of the largest supermarket chains in the UK, has self-service tills, and they don't require you to enter a PIN, you just swipe and go.
They use the same system at unmanned 24-hour petrol pumps.
This means the only real security is for card companies, it makes it harder to produce counterfeit cards.
I wonder if they care wether or not the usage is legitamate.
S a m
I live in Sweden, and here standard practice (mayber 80%,) is to check your driver's licence picture any time you use your credit card. I was impressed.
IMHO Card + PIN is a good start (it has been the standard payment method in Germany for quite a while, our bank cards work like that for decades, the old Signature-based payment methods have almost everywhere been abolished), but it creates new issues:
- as has been mentioned, fake pin readers, sometimes used quite creatively:
Over here, bank doors require your card to let you in to the ATMs after business hours - WITHOUT pin. Some creative criminals added a PIN reader to these doors and captured lots of PINs. A kind of real-world phishing.
- something that has been done right here: pin readers are integrated with the card reader as separate, bank certified devices, so it is next to impossible eavesdropping on the electronic communication (but still possible to use fully faked devices)
- people watching you, or using miniature cameras, possibly hidden in a convenient corner of the ATM surroundings
- one report was about a miniature card reader (our cards still carry magnet stripes) fixed in front of the real card reader
- the card's security itself is poor: given a card, it is possible to deduce a valid PIN (yes, that reads 'a', not 'the') from a hash that is stored on the magnet stripe. The chances that such a PIN passes the online verification is quite high.
- a fallback mechanism helping you: if no online connection to the bank is possible due to technical failure (for example, stormy weather in a remote village), then the PIN is compared to the magnet stripe's hash only. Anyone could change that hash to a convenient, known value.
- same fallback: reset the "number of false PIN attempts" counter and check as many pins as you like on an offline ATM
- apparently non-uniform randomness in PINs: there has not been statistical research, but given several examples of old PIN numbers of various people, it looks as if PIN numbers are too regular
And so on. We may have closed most social issues, but due to the closed aspect of the technological aspects and a mere 4 numeric digits in our PINs, it is technologically sub par.
"Now does it mean the technology is in fault? No it's a society issue IMO."
It's more complicated than that. Security is a system, and it makes sense to re-evaluate the security of the system when something changes.
In many cases, adding a particular technology to the security system reduces the system's effectiveness. Usually it's not the direct fault of the technology; it's -- as you say -- a society issue. But still, as someone who is paying for the added technology, I'm not getting my money's worth.
"I've noticed that the chip cards don't actually need a PIN."
Similarly, there are credit-card systems in the U.S. that don't require signatures: fast food, gas pumps, etc.
This makes perfect sense to me. The amount of money involved is small, and the liklihood that a criminal would use a stolen credit card to buy gas or burgers -- as opposed to something more easily convertable back to cash -- is low. In those instances, it makes more sense for the merchant to save money not checking for fraud and pay out the occasional fraud instance.
Here in Germany, our bank ATM cards are also used as debit cards since many years. Two systems are in use: POS (Point-Of-Sale) uses the card (mag stripe) and PIN number. POZ uses the card and the customer's signature.
For years, POZ had been more popular with merchants since the fees are considerably lower than with POS. However, the bank doesn't guarantee the payment (but there is insurance available for merchants). Since about a year, more merchants are switching to POS because of a steep increase in stolen bank cards. Also, the banks want to sundown the POZ system at the end of 2006 (POS means more profit for them).
For the customer, POS has a number of disadvantages. PIN entry can much easier be overlooked in a crowded store than at an ATM. The device could be fake or tampered with, as a customer you can only trust the store or pay cash. It would be easier if there would only be one device in use but, unfortunately, there are several. Repudiation of a POS transaction is next to impossible if you haven't reported your card as lost or stolen.
PS: The PIN randomness problem mentioned in another comment existed with older cards which, IIRC, were replaced by 2003. To my knowledge, offline PIN verification is no longer possible with the current bank cards in Germany.
@Bruce, small amounts of money to purchase gas... have you visited the UK recently ;-)
How to break chip and pin.
Lets hypothesis that a pin is more secure than a signature. Security as we know relies on the weakest link, so if it were possible force a card to permit the use of a signature it would be easier to break chip and pin. Agree?
Given a card and pin simply enter the wrong pin x times (I think x=3), the pin will now be blocked. Every store will now request a signature because the pin isn't working...
Incidently an error message `pin blocked' will be displayed, very few staff actually knows what this means.
As Bruce noted above there are systems in the US that don't require a signature. I'd argue that nearly all credit card (CC) systems in the states don't require a signiture though. Social engineering (as noted in the study) and plain negligence on the part of the cashier play a huge role here.
IMHO this situation eventually it becomes a case of the back door. If you go to the store to buy something and your card doesn't work, but it should you become an angry consumer and the card company has to deal with you, costing them time, money, and possibly the loss of a customer (see loss of money). So they place a certain amount of trust on the merchant, and give them a way to back-door the system in essence authorizing the transaction. This is a lot like instances where network administrators put back doors into their auth systems to give themselves (an obviously trusted user) short-cut access to the system, only to turn around and have their own personal short-cut exploited. Funny how that works.
It can be a good source of humor at the same time i guess. This is an extremely funny and surprisingly related link.
On a side note: When I got my new credit card a few weeks ago I didn't sign it, I wrote "See ID" on the back instead, as in "please check my drivers license". I'd say I get my license checked roughly 10% of the time now. This is with one except though: when on vacation in Massachusetts a little while back they checked my ID all the time ... and it got really annoying.
> The amount of money involved is small, and the liklihood that a criminal would use a stolen credit card to buy gas or
> burgers is low.
Of course, from the credit card company's point of view, the real likelihood to worry about is the likelihood that a criminal uses the card, that the purchase is then noticed by the true owner, and that the true owner then actually disputes the charge.
in my last poste I put "none" in the URL block. This however linked the "Posted by: flip" link to a website for some band unintentionally (thorugh some crazy redirects it seems). This is not my personal site, lol.
In the US even when a signature is required it is usually not checked because the risk of fraud is so small that the merchants much rather pay in that instance. However, try to do an expensive purchase and just go by the signature. You'll probably find that the merchant will actually call in the the purchase to protect themselves. I know they did that when I used the card for a car dowpayment and also when I bout my wife's wedding ring. It is all a matter of balancing the losses with the cost of making them dissapear. As long as the direct cost of the fraud is not passed to the involved card owner then the system should self regulate pretty good, as it has so far.
In countries like Argentina some "fraudsters" have devised a better way to use the card without having to resort to high-tech solutions to retrieve the PIN. They don't even need to take your card, leave fingerprints or even personally approach the ATM. They just drive the victim around and have him or her pull out cash from different ATMs at gunpoint; shall the victim fail to comply, then the operation is finished, with all the consecuences that implies.
Note that criminals have been less and less afraid of shooting their victims over here in recent years. Some particular nasty ones may not be impressed at all by cooperating victims, and decide that it's too risky to give them a chance to talk to the authorities afterwards.
"The amount of money involved is small, and the liklihood that a criminal would use a stolen credit card to buy gas or burgers -- as opposed to something more easily convertable back to cash -- is low"
The local Home Depot (building supply store) has "self-service" checkout kiosks. I have purchased many times and while an electronic signature is required, it is never verified (not that most electronic signatures could be verified anyway based on the scribbles most POS pad devices produce). So, it ends up essentially a swipe-only type of system. Most of my purchases have been under US$100, so I don't know if "alarms" would trigger an attendant if one tried to purchase a US$500+ drill (or some other relatively small and expensive item) at a self-service kiosk.
As pointed out by others here, Home Depot is weighing the risk of their cost savings associated with self-service checkout against the risk of fraud.
"there are credit-card systems in the U.S. that don't require signatures: fast food, gas pumps, etc."
True, but many gas pumps now require zip code confirmation. In addition, standard cards are not allowed to pump more than a nominal amount, such as US$75, and gas pump authorization controls are often used to detect and flag multiple small amounts. So a signature is not required but other controls are being implemented. And that's not to mention the surveillance data on people at the pumps and their license plate, etc.
Yeah I did learn that from one of your boo to be honest :)
I didn't put enough nuance in my statement. I totally agree that technology can be wrongly integrated into a working system and break its effectiveness. My point was more to say that it's the our use of technology which is much in fault rather than a chipset or a protocol.
Anyway I'm far from having your expertise in that area :)
@Joerg: IMHO Card + PIN is a good start (it has been the standard payment method in Germany for quite a while, our bank cards work like that for decades, the old Signature-based payment methods have almost everywhere been abolished)
I find this claim puzzling. Money transfer (Überweisung) is still signature based, if I'm not mistaken, and it's certainly a standard payment method in Germany. Credit cards as well are still signature based. It's only bank ATM cards that are PIN based, and I'm not aware that they are widely used as debit cards, certainly not for decades. It may be remarked that credit cards have much less importance in Germany than in North America, so in that sense only, more use is made of PIN cards than of signature based cards.
On the broader issue, I think if something is wrong with the British PIN credit cards, it's the superimposition of a new authentication system on an already established one, which involves new vulnerabilities as discussed in this thread. It looks like bad design to me, especially given that credit cards are supposed to work worldwide which means that PIN cannot be enforced in Britain alone.
Here in Finland, I don't need a PIN to pay with my bank card (though it does have one, for use in ATMs). The card is swiped and I sign the bill, just like with a credit card.
The funny thing is in the procedure: I give my card, they swipe it, the machine makes a small printout, they hand me the card and the printout, I sign the printout and give it back. At no point do they have both the card and my signature! There's not even an opportunity to compare them.
This changes when paying larger amounts at once, though. Then they will ask for a picture ID. But they still don't check the signature.
@Bruce, I think you missed my point
The need for both a card *AND* a PIN is a red herring, there is no security.
You only need a card, knowing the PIN is neither here nor there.
The change in the cards was the addition of chips into the card, before that it was just magnetic strips.
The chipped cards are considered more secure, but it is really better security for the card companies and not for the consumer.
Ideally you would want a situation where a card cannot authenticate without a PIN, the key returns gibberish if not correct.
Now addmittedly I can order items over the phone without a PIN, so I'm just blowing hot air.
"I've been saying this kind of thing for a while, and it's nice to read about some research that backs it up."
Yes I have on these blogs for quite some time ;)
The real problem is that Chip and Pin was brought in for the banks to get around the "Consumer Credit Act" that would normaly protected the consumer if their card was stolen / used fraudulently / phantom withdrawels / etc. It has been tried before with SET but that failed as consumers still had choice.
As I have noted several times before Fraud has GONE UP since Chip-n-Pin not down, however the Banks in general disclaim all responsability, and have returned to the old agressive ways of intimidating customers into accepting the loss.
Worse is that the card is a combined everything card (All your financial eggs in one basket). I had an ATM card and nothing else as I considered the security poor, on Credit / Switch / Debit / Solo / Vesa Electron / etc. Now I realy have no choice it's Chip-n-Pin or move your account, the trouble is that they all only offer Chip-n-Pin... About the best you can do is remove the signiture strip (it has lots of little "voids" under it) and run a very strong magnet over the mag stripe, the problem is that not all the cash machines are chip enabled yet.
I have tried embarising the bank concerned (Halifax) into sorting out the problem, they are not interested, so at the present time (as I have returned my Chip-n-Pin) I present my passport and talk very loudly at the counter about how bad the Chip-n-Pin card security is and how easy it is to defraud so that all the other customers hear it. I have the very very vague hope that eventually enough people will get the message and press for change...
The reason Spain insists on ID cards, is that they had very high levels of mag stripe card crime. They introduced a Smart card system that was great, the fraud droped to next to nothing almost overnight. Then it started to rise rapidly towards it's previous levels, the trouble was it was a very easy system to defraud (cross the boader). The banks there have become paranoid about cards ever since.
Also in French banks you have to present your ID card or pasport when getting money, although in the French case the cards are not really very secure for a number of reasons.
The ID card issue is seperate from the chip & PIN system -- they're both different solutions to only vaguely related problems.
At the moment, someone who forgets their PIN, or pretends to forget their PIN with a stolen card, can fall back to the old signature method. However, this is only for the transition period, and before the end of the year, the option to "override" the PIN will be taken away. That way, the PIN is required for the transaction.
It is true that giving your card and PIN to someone else is unlikely to be checked. However, fraud in this case is the responsibility of the cardholder, not the bank or the retailer. Hence there is (rightly) no incentive for the retailer or bank to check the details. Giving your card and PIN to someone else is no different to giving them a signed blank cheque -- it's stupid unless you have absolute trust in them.
Fraud will go up while chip & PIN is being implemented -- there is no way to have a smooth transition between the two authorisation methods. Saying that chip & PIN is insecure because of this is foolish. The time to review chip & PIN is when it has been fully implemented.
"Fraud will go up while chip & PIN is being implemented -- there is no way to have a smooth transition between the two authorisation methods. Saying that chip & PIN is insecure because of this is foolish. The time to review chip & PIN is when it has been fully implemented."
Adam, this is exactly the problem, the mag strip is recognised through out the world Chip-n-Pin is not and is unlikley to be so for some considerable period of time (if ever, beter systems are likely to happen long before then).
Spain had a secure system in Spain only take the card abroad and bingo all the old frauds still work... It's the same with Chip-n-Pin, what is worse is that where I used to have an ATM card that could only be used in the UK, I now have a Chip-n-Pin that can be used just about any where in the world on the mag stripe, not just for money but in any way the credit industry has decided to encode on the card without my permision.
As I said and will to continue to maintain,
1, Chip-n-Pin is insecure and is likley to remain so for the foreseable future.
2, A multipurpose card (credit / switch / ATM / debit / whatever) has too many failier modes to be secureable by the end user.
Neither of these problems have been addressed by the banks and they have absolutly no interest in doing so, they can have and will hide behind their security and legal depts, disclaiming all responsability.
The sole intent of the system was to move liability onto the people least able to defend themselves ie the end user, for the banks and credit industry to even pretend otherwise was rediculous.
In the same way that most security profesionals do not have online bank accounts, most also do not like the idea of combined cards, especially when the liability cannot be controled by the end user.
Statements such as "assuming Chip&PIN is more secure than a signature..." mean nothing without qualification about which threats are being considered, unless the threats are the same. Although the general threat of "unauthorised use of credit card" is the same, the mechanisms by which this can be achieved are very different, so the general statement is usually unhelpful.
Chip&PIN, compared with use of a signature, is essentially only beneficial against one particular threat, which is a card stolen without further knowledge of use or personal information (e.g. stealing a wallet or purse, provided there isn't a list of PINs in it); This benefit is further only achieved provided that the PIN is mandatory in order to use the card, which currently it obviously isn't - this situation may improve once the "honeymoon" period of Chip&PIN introduction is over, and transactions will no longer be accepted without it. In the meantime, of course, security is even weaker, with self service checkouts only requiring a swipe and no PIN _or_ signature, which is appalling. At customer's request, issuing a card _without_ a signature strip, to enforce PIN usage (and rejection without it) could be an interesting option.
The information I would like information on, in the light of the above, would be a statistical breakdown of the methods of breach (in general terms, not technical specific terms to tell everyone how to do it), so we could see whether securing against this particular risk is worthwhile anyway (and even this ignores the question of whether an altered mode of attack would likely be taken in response by the attackers).
Basically what it all comes down to is trust. If you don’t feel comfortable taking money, or singing a contract with someone using an electronic media than don’t, but we all know that 99% of the time everything is fine. Criminals will be criminals and unfortunately that means they will figure a way around any system we come up with. Because the only way to lock them out is to lock everyone else out as well.
We use PrivaSign.com (https://privasign.com) for all of our electronic signature needs, and really it provide a lot of circumstantial information which helps with non-repudiation, but if someone really wants to fake a signature or ID they can, but really that is not PrivaSign.com’s problem as much as it is our business process problem. With Credit card merchants it is a double edge sword. You want the business, but you need speed as well, so unfortunately people will be able to take advantage of your vulnerability regardless of the technology put in place.
Is Privasign even in business anymore? Their web site is dead and they probably never really got started. Hope that security was good for you!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.